Status: Open
Labels: Question (Seeking clarifications or information), Security (Addressing security-related tasks)

Description
2+ years after tokens were implemented, it is worth talking about their current state, what can be improved and in which direction Ember Nexus' auth system should go.
The following requirements were active then, and are mostly active now:
- Tokens must be secure, e.g. without collisions and not predictable.
- Tokens should generally have a maximum lifetime.
- Tokens should be immediately identifiable as tokens, therefore implementing RFC 8959, which requires tokens to follow the template secret-token:<token>.
- Tokens should be short.
  - They are part of every HTTP request. Every byte we can save has a cumulative effect.
- If Ember Nexus API chooses to support the CoAP protocol in the future, then the existing token scheme should be compatible. CoAP itself does not define limits (afaik), however in practice limits do arise from MTU sizes etc., resulting in a max usable token length of 200-512 bytes.
- Tokens should be able to be invalidated at any time.
- We do not benefit from decentralized auth systems like JWTs yet - every relevant API request has to query the database regardless, and simple lookups already use Redis for caching.
- The API is mostly used by machines, or other pieces of software. Humans rarely interact with the API directly.
Notable points which should be discussed are:
- Some sort of refresh token would be quite nice, especially when clients want to support long running actions using short lived tokens.
- Should we integrate some sort of cryptographic signing function for tokens? Similar to JWTs, just without some of the overhead?
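The following sketch is an added illustration of how the requirements above could be met, written in Python for this page; it is not code from the Ember Nexus project and does not reflect any decision taken in this issue. The 20-byte random size, the 16-byte id / 5-byte expiry / 16-byte truncated HMAC layout of the signed variant, and the 200-byte CoAP budget are assumptions chosen for the example. It shows an opaque RFC 8959 token that is only ever stored hashed, a self-authenticating variant that rejects forged or expired tokens before the revocation lookup (which stands in for the database/Redis query the issue mentions), and a length check against the CoAP budget.

```python
"""Token scheme sketch for the requirements discussed above.

Added example in Python, not Ember Nexus code. Sizes and the CoAP budget
are assumptions made for illustration.
"""
import base64
import binascii
import hashlib
import hmac
import secrets

PREFIX = "secret-token:"   # RFC 8959 scheme: tokens are self-identifying
COAP_BUDGET = 200          # assumed: lower end of the 200-512 byte range above
ID_LEN, EXP_LEN, TAG_LEN = 16, 5, 16   # assumed layout of the signed variant


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Strict decode: any character outside the base64url alphabet is an error."""
    std = text.replace("-", "+").replace("_", "/")
    return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)


# --- Variant 1: opaque random token, validated purely by DB/Redis lookup ---

def new_opaque_token(nbytes: int = 20) -> str:
    """160 bits from the OS CSPRNG: unpredictable, collisions negligible."""
    return PREFIX + b64url_encode(secrets.token_bytes(nbytes))


def storage_key(token: str) -> str:
    """Persist only the hash, so a leaked table does not yield live tokens."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


# --- Variant 2: self-authenticating token (id + expiry + truncated HMAC) ---

def new_signed_token(key: bytes, token_id: bytes, expires_at: int) -> str:
    """Bind a random token id and a unix-time expiry under a server-side key."""
    if len(token_id) != ID_LEN:
        raise ValueError("token_id must be %d bytes" % ID_LEN)
    payload = token_id + expires_at.to_bytes(EXP_LEN, "big")
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return PREFIX + b64url_encode(payload + tag)


def verify_signed_token(key: bytes, token: str, now: int, revoked: set):
    """Return (token_id, expires_at) or None.

    Cheap rejects (prefix, encoding, length, MAC, expiry) happen before the
    revocation lookup, which stands in for the DB/Redis query; the lookup is
    still required because tokens must be invalidatable at any time.
    """
    if not token.startswith(PREFIX):
        return None
    try:
        raw = b64url_decode(token[len(PREFIX):])
    except (binascii.Error, ValueError):
        return None
    if len(raw) != ID_LEN + EXP_LEN + TAG_LEN:
        return None
    payload, tag = raw[:ID_LEN + EXP_LEN], raw[ID_LEN + EXP_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    token_id = payload[:ID_LEN]
    expires_at = int.from_bytes(payload[ID_LEN:], "big")
    if now >= expires_at or token_id in revoked:
        return None
    return token_id, expires_at


def fits_coap_budget(token: str, limit: int = COAP_BUDGET) -> bool:
    """Check the wire size of the token against the assumed CoAP budget."""
    return len(token.encode("ascii")) <= limit


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    tok = new_signed_token(key, secrets.token_bytes(ID_LEN), 1_800_000_000)
    print(tok, len(tok), fits_coap_budget(tok))
```

With these sizes the signed token is 63 characters including the prefix, and the opaque one 40, so both sit well inside the 200-byte budget; a refresh token in this scheme would simply be a second opaque token with a longer lifetime, exchanged for short-lived signed ones.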